Global privacy expectations for social media platforms and other sites to safeguard against unlawful data scraping

The Jersey Office of the Information Commissioner (JOIC) and 11 of its international data protection and privacy counterparts have released a joint statement to address the issue of data scraping on social media platforms and other publicly accessible sites.

Data scraping technologies, which are being increasingly used to collect and process vast amounts of individuals’ personal information from the internet, raise significant privacy concerns as these technologies can be exploited for purposes including monetisation through re-selling data to third-party websites, including to malicious actors, private analysis or intelligence gathering.

This initiative has been led by the 'International Enforcement Working Group', a sub-group of the Global Privacy Assembly, which connects more than 130 data protection authorities around the world.

In recent years, data protection authorities around the world have seen increased reports of mass data scraping from social media applications and other websites that host publicly accessible personal information. This type of activity was evidenced most recently by the investigation undertaken by the UK Information Commissioner's Office which found that Clearview AI’s scraping of billions of images of people from across the Internet represented mass surveillance and was a clear violation of privacy rights.

The JOIC and its international colleagues look forward to receiving feedback from various companies running social media platforms over the coming weeks about how those organisations currently comply, or intend to comply, with the expectations and principles detailed in the joint statement.

Local organisations are reminded of their obligations under the Data Protection (Jersey) Law 2018 which are likely relevant in the context of data scraping:

- An organisation must take reasonable steps to ensure personal information is processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- In the case of a personal data breach, the controller must notify the Jersey Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject.

Finally, the signatories remind individuals that they can lose control over the information they make public online, and that they should consider carefully what personal information they share, before doing so.

The signatories of the joint statement are:

Jersey Office of the Information Commissioner

Information Commissioner’s Office, United Kingdom

Office of the Australian Information Commissioner

Office of the Privacy Commissioner of Canada

Office of the Privacy Commissioner for Personal Data, Hong Kong, China

Federal Data Protection and Information Commissioner, Switzerland

Datatilsynet, Norway

Office of the Privacy Commissioner, New Zealand

Protection of Personal Data, Superintendencia de Industria y, Comercio, Colombia

Commission Nationale de contrôle de la protection des Données à caractère Personnel, Morocco

Agency for Access to Public Information, Argentina

National Institute for Transparency, Access to Information and Personal Data Protection (INAI), Mexico

Read Joint Statement here